-
Member
[Wow] [8.0.1.27219]
Code:
Player:
===========
Player Name: 2C6E558
LocalPLayerGUID: 2795870
ZoneID: 2404AA4
IsTexting: 273A164
ActionBarFirstSlot: 2BA33E0
Entity List
===========
EntityList = 27F8908
FirstEntity = 18
NextEntity = 70
Spellbook:
===========
Cooldown: 0x2609F78
Targeting:
===========
activeTargetGUID = 0x261DFB0
FocusTargetGUID = 0x261E008
MouseOverGUID = 0x2B505D8
Last edited by hunterz2000; 07-31-2018 at 11:37 PM.
-
Member
To clarify... Is injection now mandatory in order to target offsets (due to memory obfuscation)? I've not been able to get any offsets working and Cheat Engine is returning the battlenet client as the module containing any of the WoW data objects.
-
★ Elder ★
Originally Posted by
maltikism
To clarify... Is injection now mandatory in order to target offsets (due to memory obfuscation)? I've not been able to get any offsets working and Cheat Engine is returning the battlenet client as the module containing any of the WoW data objects.
The bnet client has nothing to do with WoW. Something went wrong for you then. You want to read only? No injection needed.
-
Code:
EntityList: 0x27F8908
LocalPLayerGUID: 0x2C6E540
NameCacheBase: 0x23F1488
NameCacheNext: 0xF0
NameCacheGuid: 0x20
NameCacheName: 0x31
NameCacheRace: 0x70
NameCacheClass: 0x78
CameraBase: 0x2B846B0
CameraOffset: 0x3330
CameraOrigin: 0x10
CameraMatrixX: 0x1C
CameraMatrixY: 0x28
CameraMatrixZ: 0x34
CameraFov: 0x40
LastHardwareAction: 0x270B018
Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
-
Active Member
Originally Posted by
maltikism
To clarify... Is injection now mandatory in order to target offsets (due to memory obfuscation)? I've not been able to get any offsets working and Cheat Engine is returning the battlenet client as the module containing any of the WoW data objects.
out of process is working fine ;-)
I don't know what exactly you're looking for, but remember everything is 64-bit now, so a lot of relative addressing is going on.
example:
someone posted 0x201EAD0
you won't find anything pointing to this address with the cheat engine search, because it's accessed in a relative way.
take this wow code line:
Wow.exe+25BB58 48 8D 0D 71 2F DC 01 lea rcx, [Wow.exe+201EAD0]
the current code pos + 0x01DC2F71 is pointing to 0x201EAD0.
Addressing mode - Wikipedia
Last edited by evil2; 08-01-2018 at 06:11 PM.
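The arithmetic evil2 walks through above is ordinary x86-64 RIP-relative addressing: the instruction stores a signed 32-bit displacement from the address of the *next* instruction, so the absolute address never appears as a literal in the code bytes, which is why a plain memory search for the absolute value finds nothing. The decoder below is an added example for this thread, not code posted by anyone in it; it takes the exact bytes quoted in the post (`48 8D 0D 71 2F DC 01` at `Wow.exe+25BB58`, used here as constructed input) and recovers the target `0x201EAD0`, and it also shows the reverse computation (target to displacement). It only handles the `REX.W lea r64, [rip+disp32]` encoding family seen in the post; the register table and function names are this example's own.

```python
import struct

# Constructed input, taken from the instruction quoted in the thread:
#   Wow.exe+25BB58  48 8D 0D 71 2F DC 01   lea rcx, [Wow.exe+201EAD0]
INSN_RVA = 0x25BB58
INSN_BYTES = bytes.fromhex("488D0D712FDC01")

# 64-bit register names indexed by the ModRM reg field (REX.R adds 8).
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_rip_relative_lea(rva, code):
    """Decode `[REX] 8D /r` with a RIP-relative operand (ModRM mod=00, rm=101).

    Returns (register name, instruction length, target RVA).
    rva is the module-relative address of the instruction's first byte.
    Raises ValueError for any other encoding; this is deliberately narrow.
    """
    i = 0
    rex = 0
    if 0x40 <= code[i] <= 0x4F:          # optional REX prefix
        rex = code[i]
        i += 1
    if code[i] != 0x8D:                  # opcode: lea
        raise ValueError("not a lea instruction")
    i += 1
    modrm = code[i]
    i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm != 5:              # mod=00 rm=101 means [rip+disp32] in 64-bit mode
        raise ValueError("operand is not RIP-relative")
    if rex & 0x04:                       # REX.R extends the reg field to r8..r15
        reg |= 8
    disp = struct.unpack_from("<i", code, i)[0]   # signed little-endian disp32
    i += 4
    length = i
    # RIP during execution already points at the following instruction.
    target = rva + length + disp
    return REG64[reg], length, target


def rip_displacement(insn_rva, insn_len, target_rva):
    """Displacement an assembler emits so an instruction at insn_rva reaches target_rva."""
    return target_rva - (insn_rva + insn_len)


def absolute_value_present(code, value):
    """True only if the absolute 32-bit value is embedded as-is in the bytes.

    For RIP-relative instructions this is False: only the displacement is stored.
    """
    return struct.pack("<I", value) in code


if __name__ == "__main__":
    reg, length, target = decode_rip_relative_lea(INSN_RVA, INSN_BYTES)
    print(f"lea {reg}, [rip+0x{rip_displacement(INSN_RVA, length, target):X}]"
          f"  -> target Wow.exe+{target:X}")
    print("absolute target stored in the bytes?",
          absolute_value_present(INSN_BYTES, target))
```

Running it reproduces the post's result: the displacement `0x01DC2F71` added to `0x25BB58 + 7` gives `0x201EAD0`, while a search for the bytes of `0x0201EAD0` inside the instruction comes back empty. The same decoder works for any `lea r64, [rip+disp32]` with a REX prefix, including `r8`..`r15` destinations via REX.R.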
-
Active Member
Code:
FrameScript_ExecuteBuffer = 0x306B70;
FrameScript__GetText = 0x303880;
Code:
//FrameScript_ExecuteBuffer CALL
asm.AddRange(new byte[] { 0x48, 0x83, 0xEC, 0x20 }); // sub rsp, 20h
asm.AddRange(new byte[] { 0x45, 0x33, 0xC0 }); // xor r8d, r8d
asm.AddRange(new byte[] { 0x48, 0xBA }); // mov rdx, path
asm.AddRange(BitConverter.GetBytes(DoStringArg_Codecave.ToInt64())); // address
asm.AddRange(new byte[] { 0x48, 0xB9 }); // mov rcx, src
asm.AddRange(BitConverter.GetBytes(DoStringArg_Codecave.ToInt64())); // address
asm.AddRange(new byte[] { 0x48, 0xB8 }); // mov rax,
asm.AddRange(BitConverter.GetBytes(IntPtr.Add(Memory.BaseAddress, (int)Offsets.FrameScript_ExecuteBuffer).ToInt64())); // address
asm.AddRange(new byte[] { 0xFF, 0xD0 }); // call rax
asm.AddRange(new byte[] { 0x48, 0x83, 0xC4, 0x20 }); // add rsp,0x20
asm.AddRange(new byte[] { 0xC3 }); // //retn
Does anyone know the CGUnit_C__Interact offset and the parameters of the call?
Last edited by imzz; 08-03-2018 at 01:02 AM.
-
Originally Posted by
imzz
Does anyone know the CGUnit_C__Interact offset and the parameters of the call?
Code:
typedef int (FASTCALL *p_CGUnit_C__Interact) (PVOID _this);
p_CGUnit_C__Interact Unit_C__Interact = (p_CGUnit_C__Interact)(0x009EA860 + (DWORD64)GetModuleHandle(NULL));
Tested and working.
-
imzz (1 members gave Thanks to DarkLinux for this useful post)
-
Active Member
Originally Posted by
DarkLinux
Code:
typedef int (FASTCALL *p_CGUnit_C__Interact) (PVOID _this);
p_CGUnit_C__Interact Unit_C__Interact = (p_CGUnit_C__Interact)(0x009EA860 + (DWORD64)GetModuleHandle(NULL));
Tested and working.
Thanks @DarkLinux
I found 0x009EA860 + GetModuleHandle is obfuscated code?
Code:
xor rcx, rcx
jmp xxxx
It doesn't seem to be a function.
I tried to use my code,
Code:
Wow.WowHook.Memory.Write<UInt128>(Codecave, guid);
var asm = new List<byte>();
asm.AddRange(new byte[] { 0x48, 0x83, 0xEC, 0x10 }); // sub rsp, 10h
asm.AddRange(new byte[] { 0x48, 0xB9 }); // mov rcx , Codecave
asm.AddRange(BitConverter.GetBytes(Codecave.ToInt64())); // GUID Codecave Ptr
asm.AddRange(new byte[] { 0x48, 0xB8 }); // mov rax,
asm.AddRange(BitConverter.GetBytes(IntPtr.Add(Cp.Wow.WowHook.Memory.BaseAddress, (int)Offsets.CGUnit_C__Interact).ToInt64())); // address
asm.AddRange(new byte[] { 0x48, 0x83, 0xC4, 0x10 }); // add rsp,0x10
asm.AddRange(new byte[] { 0xC3 }); //retn
Wow.WowHook.InjectAndExecute(asm.ToArray());
but it didn't work. I don't know where the problem is?
-
Your problem looks to be that you're sending a GUID and not the object pointer. You can also just call 9EA430 (PVOID this, DWORD 0); the offset I gave you just xors and jumps to the real function, not obfuscated. Also, if you are going to allocate stack space use 20h, 8 x 4, for rcx, rdx, r8 and r9. Are you moving the function address into rax? I don't see you calling it...
should be something like
Code:
sub rsp, 20h
mov rcx, [TargetObjectPointer]
xor rdx, rdx
mov rax, [InteractAddress]
call rax
add rsp, 20h
ret
-
imzz (1 members gave Thanks to DarkLinux for this useful post)
-
Member
Originally Posted by
DarkLinux
Code:
typedef int (FASTCALL *p_CGUnit_C__Interact) (PVOID _this);
p_CGUnit_C__Interact Unit_C__Interact = (p_CGUnit_C__Interact)(0x009EA860 + (DWORD64)GetModuleHandle(NULL));
Tested and working.
When WoW is upgraded, how do I get the CGUnit_C__Interact offset address?